update based on editorial edits

Joey Caparas
2017-02-08 11:48:38 -08:00
parent fc7b0219b4
commit 931638efda


@ -25,23 +25,25 @@ Advanced cybersecurity attacks comprise of multiple complex malicious events, at
With Windows Defender ATP, you can create custom threat indicators that can help you keep track of possible attack activities in your organization. You can flag suspicious events to piece together clues and possibly stop an attack chain. These custom indicators will only appear in your organization and will flag events that you set it to track. With Windows Defender ATP, you can create custom threat indicators that can help you keep track of possible attack activities in your organization. You can flag suspicious events to piece together clues and possibly stop an attack chain. These custom indicators will only appear in your organization and will flag events that you set it to track.
Before creating custom threat indicators, it's important to know the concepts behind Alert definitions and Indicators of Compromise (IOCs) and the relationship between them. Before creating custom threat indicators, it's important to know the concepts behind alert definitions and indicators of compromise (IOCs) and the relationship between them.
## Alert definitions ## Alert definitions
Alert definitions are contextual attributes that can be used collectively to identify early clues on a possible cybersecurity attack. These indicators are typically a combination of events, tools, and actions taken by an attacker to successfully achieve the objective of an attack. Monitoring these combinations of attributes is critical in gaining a vantage point against attacks and possibly intervening the chain of events before an attacker's objective is reached. Alert definitions are contextual attributes that can be used collectively to identify early clues on a possible cybersecurity attack. These indicators are typically a combination of activities, characteristics, and actions taken by an attacker to successfully achieve the objective of an attack. Monitoring these combinations of attributes is critical in gaining a vantage point against attacks and possibly interfering with the chain of events before an attacker's objective is reached.
## Indicators of Compromise (IOC) ## Indicators of compromise (IOC)
IOCs are individual known malicious events that indicate that a network or machine has already been breached. Unlike Alert definitions, these indicators are considered as evidence of a breach. They are often seen after an attack has already been carried out and the objective has been reached, such as exfiltration. Keeping track of IOCs is also important during forensic investigations. Although it might not provide the ability to intervene an attack chain, gathering these indicators can be useful in creating better defenses for possible future attacks. IOCs are individual known malicious events that indicate that a network or machine has already been breached. Unlike alert definitions, these indicators are considered as evidence of a breach. They are often seen after an attack has already been carried out and the objective has been reached, such as exfiltration. Keeping track of IOCs is also important during forensic investigations. Although it might not provide the ability to intervene an attack chain, gathering these indicators can be useful in creating better defenses for possible future attacks.
## Relationship between Alert definitions and IOCs ## Relationship between alert definitions and IOCs
In the context of Windows Defender ATP, Alert definitions are containers for IOCs and defines the alert, including the metadata that is raised in case of a specific IOC match. Various metadata is provided as part of the Alert definitions. Metadata such as Alert definition name of attack, severity, and description is provided along with other options. For more information on available metadata options, see [Custom TI API metadata](custom-ti-api-windows-defender-advanced-threat-protection.md#custom-ti-api-metadata). In the context of Windows Defender ATP, alert definitions are containers for IOCs and defines the alert, including the metadata that is raised in case of a specific IOC match. Various metadata is provided as part of the alert definitions. Metadata such as alert definition name of attack, severity, and description is provided along with other options. For more information on available metadata options, see [Custom TI API metadata](custom-ti-api-windows-defender-advanced-threat-protection.md#custom-ti-api-metadata).
IOCs define the actual concrete detection logic based on type, value and detection function and the corresponding Alert definition ID to be identified with. Each IOC has a type, value, and an action for example: Each IOC defines the concrete detection logic based on its type and value as well as its action, which determines how it is matched. It is bound to a specific alert definition that defines how a detection is displayed as an alert on the Windows Defender ATP console.
Here is an example of an IOC:
- Type: Sha1 - Type: Sha1
- Value: 92cfceb39d57d914ed8b14d0e37643de0797ae56 - Value: 92cfceb39d57d914ed8b14d0e37643de0797ae56
- Action: Equals - Action: Equals
IOCs have a many-to-one relationship with Alert definitions such that an Alert definition can have many IOCs that correspond to it. IOCs have a many-to-one relationship with alert definitions such that an alert definition can have many IOCs that correspond to it.
## Related topic ## Related topic
- [Create custom threat indicators using REST API](custom-ti-api-windows-defender-advanced-threat-protection.md) - [Create custom threat indicators using REST API](custom-ti-api-windows-defender-advanced-threat-protection.md)
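Review bot: two grammar slips survive in the edited (right-hand) text of this hunk. In the "Indicators of compromise (IOC)" paragraph, "it might not provide the ability to intervene an attack chain" still lacks a preposition and should read "intervene in an attack chain", which would also line up with the "interfering with the chain of events" fix made in the "Alert definitions" paragraph above it. In the "Relationship between alert definitions and IOCs" paragraph, "alert definitions are containers for IOCs and defines the alert" has a plural subject with a singular verb and should read "define the alert"; the following sentence, "Metadata such as alert definition name of attack, severity, and description is provided", would be clearer as "Metadata such as the alert definition name, severity, and description are provided". The new "Here is an example of an IOC:" lead-in and the rewritten IOC sentence ("Each IOC defines the concrete detection logic based on its type and value as well as its action, which determines how it is matched") read well and are consistent with the Sha1 / Equals example that follows.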